From 6ebe9b9a20a15ff9488533d3d3453928da5420b4 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Fri, 24 Jul 2020 11:56:49 -0500
Subject: [PATCH] ci: Always skip tasks tagged "install"

Software should never be installed or updated by the continuous
enforcement jobs.  This can cause unexpected outages or other problems
if applications or libraries unexpectedly.  Everything should already be
installed and in production before continuous enforcement begins, so
skipping install steps should not matter.

Most tasks that install software are tagged with the `install` tag.
When Jenkins runs `ansible-playbook` to apply configuration policy, it
will now skip any task that includes this tag.
---
 vars/applyConfigPolicy.groovy | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/vars/applyConfigPolicy.groovy b/vars/applyConfigPolicy.groovy
index 17c7278..843339d 100644
--- a/vars/applyConfigPolicy.groovy
+++ b/vars/applyConfigPolicy.groovy
@@ -72,7 +72,8 @@ def generateStages(stages) {
                     playbook: playbook,
                     become: true,
                     vaultCredentialsId: 'ansible-vault',
-                    extras: '--diff'
+                    extras: '--diff',
+                    skippedTags: 'install'
             }
         }
     }